git.baikalelectronics.ru Git - kernel.git/commit

author	John Johansen <john.johansen@canonical.com>
	Sun, 26 May 2019 13:42:23 +0000 (06:42 -0700)
committer	John Johansen <john.johansen@canonical.com>
	Tue, 18 Jun 2019 23:04:16 +0000 (16:04 -0700)
commit	75a6a3f2e28fad1e7882d04dc04223445f61fd49
tree	13b8eacded2d8e3ddc80eb1ee00fa12c398ed6dd	tree \| snapshot
parent	d73125cc180909e702d5803dd3769dbb5d995e4e	commit \| diff

apparmor: fix PROFILE_MEDIATES for untrusted input

While commit a807ddab18782 ("apparmor: add a default null dfa") ensure
every profile has a policy.dfa it does not resize the policy.start[]
to have entries for every possible start value. Which means
PROFILE_MEDIATES is not safe to use on untrusted input. Unforunately
commit c943199d72bf ("apparmor: remove POLICY_MEDIATES_SAFE") did not
take into account the start value usage.

The input string in profile_query_cb() is user controlled and is not
properly checked to be within the limited start[] entries, even worse
it can't be as userspace policy is allowed to make us of entries types
the kernel does not know about. This mean usespace can currently cause
the kernel to access memory up to 240 entries beyond the start array
bounds.

Cc: stable@vger.kernel.org
Fixes: c943199d72bf ("apparmor: remove POLICY_MEDIATES_SAFE")
Signed-off-by: John Johansen <john.johansen@canonical.com>